Why DDoS scrubbing-lanes?

With regards to scrubbing-lane approaches, years ago Internet Service Providers (ISP) realized, “Yes DDoS is a problem we will have to deal with now and in the future”. From some reports as early as the year 2000 ISPs began observing DDoS attacks traversing their networks. How did they see the effects of DDoS attacks - way back then?

Simple, they had already begun to deploy vast amounts of network infrastructure that supported NetFlow. From their infrastructure NetFlow records were obtained and forwarded to NetFlow Collectors. Running an analysis application using the NetFlow records, network engineers and technicians could view, monitor, report, trend, and alert based upon statistics that were collected from their infrastructures. They would detect points of congestion in their networks and make tertiary changes to the backbone to reduce and eliminate bottlenecks. They still use the same techniques today.

Searching for a Solution
As traffic fluctuations related to ongoing DDoS attacks became more commonplace; ISPs began searching for a solution to remove DDoS traffic from their networks. However, the options were limited and did not completely eliminate the problem. Instead of enabling the removal of DDoS traffic at the boarders (peer points) of their networks, the concept of “scrubbing” the DDoS traffic within their networks with the sole intention of eliminating the attack from affecting their downstream customers and their SLAs was born.

In other words ISPs accept the DDoS traffic from their peers and forward the DDoS traffic through their networks. Then, using BGP they would reroute all the traffic destined to the attack victim, through what is called a “scrubbing-lane”. The scrubbing-lane was intended to filter the DDoS traffic out from the traffic flow while allowing good traffic to be forwarded to its destination.

Ongoing challenge
This approach requires the usage of BGP route injection techniques and the GRE Tunnel approach; which is viewed as cumbersome and somewhat inefficient, requiring human intervention for BGP route injections and often blocks as much good user traffic as bad, DDoS traffic. If the deployed technology used to scrub traffic worked somewhat well in a scrubbing-lane approach, why wasn’t the technology deployed at ISP peer points or other strategic points in the network subsequently blocking the attack before they get in?

Simple - deploying a scrubbing-lane approach at the peer points will block just as much good traffic as bad; downstream customers would lose their legitimate user traffic in the process. ISPs that have commonly deployed the NetFlow/scrubbing-lane approach are still struggling with its inefficiencies and coming to realize that the scrubbing-lane approach doesn’t necessarily scale economically when we’re talking about scrubbing 40Gbps, 100Gbps or more of DDoS attack traffic.

Re-thinking DDoS protection in the ISP environment
Traditional on-demand and scrubbing-lane approaches can be replaced with real-time, inline defenses that eliminate the DDoS threat for providers and their customers. Corero First Line of Defense solutions provide always on DDoS protection, event reporting and analytics for Service providers that are looking for alternatives in defeating the DDoS challenge.

Corero SmartWall® Threat Defense System transparently blocks DDoS attack traffic before it enters-or-traverses the ISPs network. ISPs are taking advantage of the SmartWall® Threat Defense System and are now enabled to defeat DDoS attacks in real-time; before their customers are even aware an attack has taken place—allowing the good user traffic to flow unimpeded to its destination. This purpose built DDoS defense technology provides carrier class protection, and unlimited scalability for even the most robust provider networks. The secret: No false positives. The SmartWall ‘Do No Harm’ architecture, scales to virtually any bandwidth in increments of 10Gbps, removes all unwanted DDoS attack traffic, all without dropping legitimate traffic. Of course, for those ISPs that are still committed to using scrubbing lanes, SmartWall provides an excellent solution here as well.

Share this post:

You May Also Be Interested In:

Steve is a key security evangelist for Corero Network Security, having delivered hundreds of presentations and attack/defense demonstrations across the Globe. Steve has more than 25 years of computer networking and security experience with an extensive background in the deployment and implementation of next-generation security technologies. Steve is a recognized Subject Matter Expert on DDoS attack tools and methodologies including defense technologies and approaches. You can usually find Steve speaking to network and security professionals within highly regarded organizations such as; InfraGard, ISSA, ISACA, Tech-Security Conferences, Interop, SecureWorld, RSA, SANs, IANS, GTRA and numerous other venues.